Thoughts about Network Design

Brogren_ (n00b) | Joined: Aug 9, 2013 | Messages: 2
Hey,

I have read hundreds of threads around the internet, but can't really point out the preferred design. This is for home use, but I will use it to gain experience in networking and security. A more advanced setup is really what I want. I have drawn a scheme below and would like some comments (pros and cons) about it. I know of course that I can use one router/firewall for the proposed build, but that's too simple, I believe. Thanks in advance :)

Edit: In the picture below I mean routing and firewall features for the interface set up for the DMZ. And the equipment in the scheme is not everything I will be using. I try to keep it simple.

[image: network scheme (2euig5j.jpg)]
 
I would be FAR more concerned about having UTM protecting servers that were accepting external connections vs clients that did not. Personally, I would protect both but *IF* I could only protect one it would be the one accepting connections.
 
x2 to Nicklebon - Why DMZ anything? The point of a firewall is to pass through only what needs to get inside - if you have to DMZ a server, it's not doing its job.

It's like having an armed guard at your back door, but leaving your front door wide open.
 
A device that accepts connections from untrusted sources should never be placed on a trusted network. No firewall can protect you 100% of the time. If the device is compromised and sits inside your network you are now owned as the attacker now sits inside your network. Any device that is exposed to outside connections should sit on a separate network, have minimal connections inside and be considered untrusted itself.
 
What's the point of the basic firewall?

Make the real firewall the central one with legs to the router, to the ESXi host, to the internal network and I would even firewall the access point.
 
Thanks for the replies. I have made a new scheme. It looks like the other one but may be clearer to understand. This must be the way to go? More secure than using one firewall, and I can use functionality in the firewall for the internal network that I don't need to use for the "main" firewall. Should I use the main firewall for routing and reverse proxy only?

How do I manage the first firewall in the most secure way from the inside? And for the time being, the servers in the DMZ would be accessed via SSH (Linux only). But when I add a Windows Server I would like to be able to manage these without opening up RDP to the outside. Any thoughts on that?

[image: revised network scheme (25pk4yg.jpg)]
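The advice above (exposed hosts on their own segment, minimal connections inward, the DMZ treated as untrusted) and the questions about managing the firewall and the DMZ servers from the inside without publishing SSH or RDP can be expressed as one ruleset on the central firewall. The following nftables script is an added example, not from the thread or any product; interface names, subnets, the reverse-proxy address and the admin host are hypothetical placeholders.

```nft
#!/usr/sbin/nft -f
flush ruleset

define WAN = eth0                 # hypothetical interface towards the router
define DMZ = eth1                 # hypothetical DMZ leg
define LAN = eth2                 # hypothetical internal leg
define WEB = 192.168.20.10        # hypothetical reverse proxy in the DMZ
define ADMIN = 192.168.10.5       # hypothetical management host on the LAN

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Manage the firewall itself only from the LAN admin host over SSH;
        # nothing on the WAN or DMZ legs can reach the firewall's services
        iifname $LAN ip saddr $ADMIN tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Internet -> DMZ: only the published service, only to the proxy
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept
        # LAN -> DMZ: admin host may SSH / RDP to DMZ servers; nothing else
        iifname $LAN oifname $DMZ ip saddr $ADMIN tcp dport { 22, 3389 } accept
        # LAN -> Internet
        iifname $LAN oifname $WAN accept
        # DMZ -> Internet: DNS and package updates only
        iifname $DMZ oifname $WAN udp dport 53 accept
        iifname $DMZ oifname $WAN tcp dport { 80, 443 } accept
        # DMZ -> LAN: no accept rule exists; log attempts so a compromised
        # DMZ host probing inward is visible before the default drop
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan-blocked " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Management of DMZ hosts here is only ever initiated from the LAN admin host, so neither SSH nor RDP is published on the WAN side; a Windows server in the DMZ is reached on 3389 from inside only.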
 
I have my ESXi host connected to both the DMZ and the LAN with 2 NICs, then I can build DMZ VMs and LAN VMs. It is a slight security risk but it's the easiest way to do it.
 